@guilz-dev/belay 0.1.0

package/dist/commands/health-snapshot.js

@@ -0,0 +1,166 @@
+import { existsSync } from 'node:fs';
+import { readFile } from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import { getClaudeManagedHookEntries } from '../adapters/claude/hooks.js';
+import { getCodexManagedHookEntries } from '../adapters/codex/hooks.js';
+import { getAdapterLayout } from '../adapters/layouts/index.js';
+import { resolveScopedPaths } from '../adapters/layouts/scope.js';
+import { detectAdapterName, loadLayeredConfig } from '../config-io.js';
+import { diagnoseJudge } from '../core/judge-doctor.js';
+import { getManagedHookEntries } from '../defaults.js';
+import { sandboxStatus } from '../services/sandbox-service.js';
+function skillCandidates(adapter, repoRoot) {
+    const projectAgent = adapter === 'cursor'
+        ? path.join(repoRoot, '.cursor')
+        : adapter === 'claude'
+            ? path.join(repoRoot, '.claude')
+            : path.join(repoRoot, '.codex');
+    const home = os.homedir();
+    const globalAgent = adapter === 'cursor'
+        ? path.join(home, '.cursor')
+        : adapter === 'claude'
+            ? path.join(home, '.claude')
+            : path.join(home, '.codex');
+    return [
+        path.join(projectAgent, 'skills', 'belay', 'SKILL.md'),
+        path.join(globalAgent, 'skills', 'belay', 'SKILL.md'),
+    ];
+}
+async function managedHooksPresent(adapter, hooksPath, hooksDir, repoRoot) {
+    const managedEntries = adapter === 'cursor'
+        ? getManagedHookEntries(process.platform, hooksDir, repoRoot)
+        : adapter === 'claude'
+            ? getClaudeManagedHookEntries(process.platform, hooksDir, repoRoot)
+            : getCodexManagedHookEntries(process.platform, hooksDir, repoRoot);
+    if (!existsSync(hooksPath)) {
+        return false;
+    }
+    const content = await readFile(hooksPath, 'utf8');
+    if (adapter === 'cursor') {
+        const hooksFile = JSON.parse(content);
+        return managedEntries.every(({ event, definition }) => (hooksFile.hooks?.[event] ?? []).some((entry) => entry.command === definition.command && entry.matcher === definition.matcher));
+    }
+    if (adapter === 'claude') {
+        const settings = JSON.parse(content);
+        return managedEntries.every(({ event, definition }) => (settings.hooks?.[event] ?? []).some((entry) => entry.matcher === definition.matcher &&
+            entry.hooks?.some((hook) => hook.command === definition.command)));
+    }
+    return managedEntries.every(({ definition }) => content.includes(definition.command));
+}
+export async function collectHealthSnapshot(options = {}) {
+    const repoRoot = path.resolve(options.targetDir ?? process.cwd());
+    const adapter = options.adapter ?? detectAdapterName(repoRoot);
+    const layout = getAdapterLayout(adapter);
+    const configPath = layout.configPath(repoRoot);
+    let configPresent = existsSync(configPath);
+    let installScope = 'project';
+    let judgeIssues = [];
+    let judgeWarnings = [];
+    let judgeNotes = [];
+    let containmentPosture = 'best-effort';
+    let containmentWarnings = [];
+    const additionalRiskSignals = [];
+    let l1FullActive = false;
+    if (configPresent) {
+        try {
+            const layered = await loadLayeredConfig(repoRoot, adapter);
+            installScope = layered.config.installScope === 'global' ? 'global' : 'project';
+            const judgeDoctor = await diagnoseJudge(layered.config);
+            judgeIssues = judgeDoctor.issues;
+            judgeWarnings = judgeDoctor.warnings;
+            judgeNotes = judgeDoctor.notes;
+            const sandbox = await sandboxStatus({ targetDir: repoRoot });
+            l1FullActive = sandbox.l1FullActive;
+            containmentPosture = l1FullActive ? 'l1-full' : 'best-effort';
+            if (!layered.config.sandbox.enabled || layered.config.sandbox.runtime === 'none') {
+                containmentWarnings.push('sandbox runtime is not enabled');
+            }
+            if (!layered.config.egress.enabled) {
+                containmentWarnings.push('egress proxy is not enabled');
+            }
+            else if (!sandbox.l1Full.egressProxyRunning) {
+                containmentWarnings.push('egress proxy is not running for this repository');
+            }
+            if (layered.config.controlPlane.isolation.mode === 'none') {
+                containmentWarnings.push('control-plane isolation mode is none');
+            }
+            if (!layered.config.approvalSigning.required) {
+                containmentWarnings.push('approval signing is not required');
+            }
+            if (layered.config.judge.provider === 'openai-compatible') {
+                additionalRiskSignals.push('cloud judge enabled: redacted command text may be sent to an external provider');
+            }
+        }
+        catch {
+            configPresent = false;
+        }
+    }
+    if (!configPresent) {
+        containmentWarnings = ['belay config is missing or unreadable'];
+    }
+    const scopedPaths = resolveScopedPaths(layout, installScope, repoRoot);
+    const hooksPath = scopedPaths.hooksSettingsPath;
+    const hooksDir = scopedPaths.hooksDir;
+    const corePath = path.join(scopedPaths.runtimeDir, 'core.mjs');
+    const skillPath = path.join(scopedPaths.skillsDir, 'SKILL.md');
+    const commandsPath = scopedPaths.commandsDir
+        ? path.join(scopedPaths.commandsDir, 'belay-approve.md')
+        : undefined;
+    const runtimePresent = existsSync(corePath);
+    const runnerPresent = existsSync(path.join(hooksDir, 'belay-runner')) ||
+        existsSync(path.join(hooksDir, 'belay-runner.cmd'));
+    const hooksInstalled = existsSync(hooksPath) && runnerPresent;
+    let managedHooksOk = false;
+    if (hooksInstalled) {
+        try {
+            managedHooksOk = await managedHooksPresent(adapter, hooksPath, hooksDir, repoRoot);
+        }
+        catch {
+            managedHooksOk = false;
+        }
+    }
+    const skillInstalled = existsSync(skillPath) ||
+        skillCandidates(adapter, repoRoot).some((candidate) => existsSync(candidate));
+    const floorInstalled = configPresent && hooksInstalled && managedHooksOk && runtimePresent;
+    const skillOnly = skillInstalled && !floorInstalled;
+    const missingArtifacts = [];
+    if (configPresent) {
+        for (const artifact of [
+            path.join(hooksDir, 'belay-runner'),
+            path.join(hooksDir, 'belay-before-submit.mjs'),
+            path.join(hooksDir, 'belay-shell-gate.mjs'),
+            path.join(hooksDir, 'belay-tool-gate.mjs'),
+            corePath,
+        ]) {
+            if (!existsSync(artifact)) {
+                missingArtifacts.push(artifact);
+            }
+        }
+    }
+    return {
+        repoRoot,
+        adapter,
+        installScope,
+        configPath,
+        hooksPath,
+        skillPath,
+        commandsPath,
+        configPresent,
+        hooksInstalled,
+        managedHooksOk,
+        runtimePresent,
+        skillInstalled,
+        skillOnly,
+        commandsInstalled: commandsPath ? existsSync(commandsPath) : false,
+        floorInstalled,
+        missingArtifacts,
+        judgeIssues,
+        judgeWarnings,
+        judgeNotes,
+        containmentPosture,
+        containmentWarnings,
+        additionalRiskSignals,
+        l1FullActive,
+    };
+}

package/dist/commands/init-wizard.d.ts

@@ -0,0 +1,16 @@
+import type { AdapterName, InitOptions } from '../types.js';
+export interface WizardAnswers {
+    adapter: AdapterName;
+    scope: 'project' | 'global';
+    withSkill: boolean;
+    dogfood: boolean;
+}
+export declare function buildInitOptionsFromWizard(answers: WizardAnswers, targetDir?: string): InitOptions;
+export declare function runInitWizard(options?: {
+    targetDir?: string;
+}): Promise<{
+    repoRoot: string;
+    withSkill: boolean;
+    dogfood: boolean;
+    adapter: import("../adapters/layouts/types.js").AdapterName;
+}>;

package/dist/commands/init-wizard.js

@@ -0,0 +1,50 @@
+import { stdin as input, stdout as output } from 'node:process';
+import readline from 'node:readline/promises';
+import { initProject } from '../installer.js';
+function parseAdapter(value) {
+    const normalized = (value ?? 'cursor').trim().toLowerCase();
+    if (normalized === 'claude' || normalized === 'codex' || normalized === 'cursor') {
+        return normalized;
+    }
+    throw new Error(`Unknown adapter: ${value ?? '(empty)'}`);
+}
+function parseScope(value) {
+    const normalized = (value ?? 'project').trim().toLowerCase();
+    if (normalized === 'global' || normalized === 'project') {
+        return normalized;
+    }
+    throw new Error(`Unknown scope: ${value ?? '(empty)'}`);
+}
+function parseYesNo(value, defaultValue) {
+    const normalized = (value ?? (defaultValue ? 'y' : 'n')).trim().toLowerCase();
+    if (['y', 'yes', 'true', '1'].includes(normalized)) {
+        return true;
+    }
+    if (['n', 'no', 'false', '0'].includes(normalized)) {
+        return false;
+    }
+    return defaultValue;
+}
+export function buildInitOptionsFromWizard(answers, targetDir) {
+    return {
+        targetDir,
+        adapter: answers.adapter,
+        scope: answers.scope,
+        withSkill: answers.withSkill,
+        dogfood: answers.dogfood,
+    };
+}
+export async function runInitWizard(options = {}) {
+    const rl = readline.createInterface({ input, output });
+    try {
+        output.write('belay init wizard\n');
+        const adapter = parseAdapter(await rl.question('Adapter (cursor/claude/codex) [cursor]: '));
+        const scope = parseScope(await rl.question('Install scope (project/global) [project]: '));
+        const withSkill = parseYesNo(await rl.question('Install SKILL.md and slash commands? (y/n) [y]: '), true);
+        const dogfood = parseYesNo(await rl.question('Start in audit dogfood mode? (y/n) [n]: '), false);
+        return initProject(buildInitOptionsFromWizard({ adapter, scope, withSkill, dogfood }, options.targetDir));
+    }
+    finally {
+        rl.close();
+    }
+}

package/dist/commands/metrics.d.ts

@@ -0,0 +1,7 @@
+import type { AuditMetricsReport } from '../core/audit-metrics.js';
+export interface MetricsOptions {
+    targetDir?: string;
+    json?: boolean;
+}
+export declare function metricsProject(options?: MetricsOptions): Promise<AuditMetricsReport>;
+export declare function formatMetricsReport(report: AuditMetricsReport): string;

package/dist/commands/metrics.js

@@ -0,0 +1,89 @@
+import { readFile } from 'node:fs/promises';
+import path from 'node:path';
+import { loadConfigFile } from '../config-io.js';
+import { computeAuditMetrics, parseAuditNdjson } from '../core/audit-metrics.js';
+export async function metricsProject(options = {}) {
+    const repoRoot = path.resolve(options.targetDir ?? process.cwd());
+    const config = await loadConfigFile(repoRoot);
+    const auditLogPath = path.join(repoRoot, config.audit.logPath);
+    let raw = '';
+    try {
+        raw = await readFile(auditLogPath, 'utf8');
+    }
+    catch {
+        raw = '';
+    }
+    const records = parseAuditNdjson(raw);
+    return computeAuditMetrics(records, {
+        auditLogPath: config.audit.logPath,
+        mode: config.mode,
+        unknownLocalEffect: config.policy.unknownLocalEffect,
+    });
+}
+export function formatMetricsReport(report) {
+    const lines = [
+        `belay metrics for ${report.auditLogPath}`,
+        `Schema: v${report.schemaVersion}`,
+        `Gate events: ${report.gateEvents}`,
+        `Would-block: ${report.wouldBlockCount} (${(report.wouldBlockRate * 100).toFixed(1)}%)`,
+        `Approvals recorded during audit: ${report.approvalRecordedCount}`,
+    ];
+    if (report.approvalLatency.count > 0) {
+        lines.push(`Approval latency: median ${report.approvalLatency.medianMs ?? 0}ms, p95 ${report.approvalLatency.p95Ms ?? 0}ms (${report.approvalLatency.count} samples)`);
+    }
+    if (report.bypassAttemptCount > 0) {
+        lines.push(`Bypass attempts detected: ${report.bypassAttemptCount}`);
+    }
+    if (Object.keys(report.byVerdict).length > 0) {
+        lines.push('', 'By verdict:');
+        for (const [verdict, count] of Object.entries(report.byVerdict).sort((a, b) => b[1] - a[1])) {
+            lines.push(`- ${verdict}: ${count}`);
+        }
+    }
+    const v2Buckets = [
+        ['location', report.byLocation],
+        ['opacity', report.byOpacity],
+        ['effect', report.byEffect],
+        ['confidence', report.byConfidence],
+    ];
+    for (const [axis, bucket] of v2Buckets) {
+        if (Object.keys(bucket).length > 0) {
+            lines.push('', `By ${axis}:`);
+            for (const [value, count] of Object.entries(bucket).sort((a, b) => b[1] - a[1])) {
+                lines.push(`- ${value}: ${count}`);
+            }
+        }
+    }
+    if (Object.keys(report.gateEventsByDay).length > 0) {
+        lines.push('', 'Gate events by day:');
+        for (const [day, count] of Object.entries(report.gateEventsByDay).sort()) {
+            lines.push(`- ${day}: ${count}`);
+        }
+    }
+    if (report.noisyRuleCandidates.length > 0) {
+        lines.push('', 'Noisy rule candidates:');
+        for (const rule of report.noisyRuleCandidates) {
+            lines.push(`- ${rule.reason}: ${(rule.approvalRate * 100).toFixed(0)}% approved after deny (${rule.approvedCount}/${rule.denyCount})`);
+        }
+    }
+    if (Object.keys(report.byReason).length > 0) {
+        lines.push('', 'By reason:');
+        for (const [reason, count] of Object.entries(report.byReason).sort((a, b) => b[1] - a[1])) {
+            lines.push(`- ${reason}: ${count}`);
+        }
+    }
+    if (report.topWouldBlockSummaries.length > 0) {
+        lines.push('', 'Top would-block summaries:');
+        for (const entry of report.topWouldBlockSummaries) {
+            lines.push(`- [${entry.reason}] x${entry.count}: ${entry.summary}`);
+        }
+    }
+    if (report.dogfood.notes.length > 0) {
+        lines.push('', 'Dogfood notes:');
+        for (const note of report.dogfood.notes) {
+            lines.push(`- ${note}`);
+        }
+        lines.push('', report.dogfood.readyForEnforce ? 'Ready for enforce: yes' : 'Ready for enforce: not yet');
+    }
+    return `${lines.join('\n')}\n`;
+}

package/dist/commands/recover.d.ts

@@ -0,0 +1,3 @@
+import type { RecoverOptions, RecoverReport } from '../types.js';
+export declare function recoverProject(options?: RecoverOptions): Promise<RecoverReport>;
+export declare function formatRecoverReport(report: RecoverReport): string;

package/dist/commands/recover.js

@@ -0,0 +1,105 @@
+import path from 'node:path';
+import { loadConfigFile } from '../config-io.js';
+import { buildRecoverAdvice, RECOVER_DISCLAIMER, } from '../core/recover-advice.js';
+import { probeGitState } from '../core/recover-git-probe.js';
+import { selectRecoverTarget } from '../core/recover-select.js';
+import { loadAuditRecords } from './audit.js';
+import { classifyForReport } from './classify-for-report.js';
+export async function recoverProject(options = {}) {
+    const repoRoot = path.resolve(options.targetDir ?? process.cwd());
+    const config = await loadConfigFile(repoRoot);
+    let target = null;
+    const extraWarnings = [];
+    if (options.command) {
+        extraWarnings.push('--command re-runs shell classification and may invoke Tier1 judge (classification only — no recovery commands are executed). Prefer audit-based recovery when possible.');
+        const classified = await classifyForReport({
+            targetDir: repoRoot,
+            command: options.command,
+            kind: 'shell',
+        });
+        target = {
+            summary: classified.input,
+            reason: classified.result.reason,
+            effect: classified.result.v2?.effect,
+            location: classified.result.v2?.location,
+            permission: classified.permission,
+            assessment: classified.result.assessment,
+        };
+    }
+    else {
+        const records = await loadAuditRecords(repoRoot);
+        target = selectRecoverTarget(records, options);
+    }
+    const git = await probeGitState(repoRoot);
+    if (!target) {
+        return {
+            repoRoot,
+            recoverable: false,
+            confidence: 'medium',
+            disclaimer: [...RECOVER_DISCLAIMER],
+            advice: ['No recoverable audit events found in the selected window.'],
+            warnings: ['Specify --fingerprint, --since, or --command to narrow recovery advice.'],
+        };
+    }
+    const advice = buildRecoverAdvice({
+        repoRoot,
+        target,
+        git,
+        minAssessmentConfidence: config.policy.confidenceThresholds.flag,
+    });
+    return {
+        repoRoot,
+        target: {
+            timestamp: target.timestamp,
+            fingerprint: target.fingerprint,
+            summary: target.summary,
+            reason: target.reason,
+            effect: target.effect,
+            location: target.location,
+            permission: target.permission,
+        },
+        ...advice,
+        warnings: [...extraWarnings, ...advice.warnings],
+    };
+}
+export function formatRecoverReport(report) {
+    const lines = [
+        `belay recover for ${report.repoRoot}`,
+        '',
+        'Disclaimer:',
+        ...report.disclaimer.map((line) => `- ${line}`),
+        '',
+    ];
+    if (report.target) {
+        lines.push('Target:');
+        if (report.target.timestamp) {
+            lines.push(`- time: ${report.target.timestamp}`);
+        }
+        if (report.target.fingerprint) {
+            lines.push(`- fingerprint: ${report.target.fingerprint}`);
+        }
+        lines.push(`- reason: ${report.target.reason}`);
+        if (report.target.effect) {
+            lines.push(`- effect: ${report.target.effect}`);
+        }
+        if (report.target.location) {
+            lines.push(`- location: ${report.target.location}`);
+        }
+        lines.push(`- summary: ${report.target.summary}`);
+        lines.push('');
+    }
+    lines.push(`Recoverable: ${report.recoverable ? 'possibly' : 'unlikely'} (confidence=${report.confidence})`);
+    lines.push('');
+    lines.push('Advice:');
+    for (const line of report.advice) {
+        lines.push(`- ${line}`);
+    }
+    if (report.warnings.length > 0) {
+        lines.push('');
+        lines.push('Warnings:');
+        for (const warning of report.warnings) {
+            lines.push(`- ${warning}`);
+        }
+    }
+    return `${lines.join('\n')}\n`;
+}

package/dist/commands/report.d.ts

@@ -0,0 +1,3 @@
+import type { AuditVisibilityReport, ReportOptions } from '../types.js';
+export declare function reportProject(options?: ReportOptions): Promise<AuditVisibilityReport>;
+export declare function formatReport(report: AuditVisibilityReport): string;

package/dist/commands/report.js

@@ -0,0 +1,65 @@
+import path from 'node:path';
+import { loadConfigFile } from '../config-io.js';
+import { detectFenceDrift, formatAskBreakdown, summarizeAuditVisibility, } from '../core/audit-summary.js';
+import { loadAuditRecords } from './audit.js';
+export async function reportProject(options = {}) {
+    const repoRoot = path.resolve(options.targetDir ?? process.cwd());
+    const config = await loadConfigFile(repoRoot);
+    const auditLogPath = path.join(repoRoot, config.audit.logPath);
+    const records = await loadAuditRecords(repoRoot);
+    const filter = {
+        since: options.since,
+        until: options.until,
+    };
+    const summary = summarizeAuditVisibility(records, filter, {
+        recentAskLimit: options.limit ?? 10,
+    });
+    const drift = detectFenceDrift(summary, {
+        threshold: config.policy.fenceWarnThreshold,
+    });
+    return {
+        repoRoot,
+        auditLogPath,
+        ...summary,
+        warnings: drift.warnings,
+        notes: drift.notes,
+    };
+}
+export function formatReport(report) {
+    const lines = [
+        `belay report for ${report.repoRoot}`,
+        `Audit log: ${report.auditLogPath}`,
+        '',
+        `Gate events: ${report.gateEvents}`,
+        ...formatAskBreakdown(report),
+        `Flag (allow_flagged): ${report.flagCount}`,
+        `Allow (silent pass): ${report.allowCount}`,
+        `Silent-pass rate: ${(report.silentPassRate * 100).toFixed(1)}%`,
+        '',
+    ];
+    if (report.warnings.length > 0) {
+        lines.push('Warnings:');
+        for (const warning of report.warnings) {
+            lines.push(`- ${warning}`);
+        }
+        lines.push('');
+    }
+    if (report.notes.length > 0) {
+        lines.push('Notes:');
+        for (const note of report.notes) {
+            lines.push(`- ${note}`);
+        }
+        lines.push('');
+    }
+    if (report.recentAsks.length === 0) {
+        lines.push('No recent asks in the selected period.');
+    }
+    else {
+        lines.push('Recent asks:');
+        for (const ask of report.recentAsks) {
+            const when = ask.timestamp ?? 'unknown-time';
+            lines.push(`- [${when}] (${ask.tier}) ${ask.reason} — ${ask.summary}`);
+        }
+    }
+    return `${lines.join('\n')}\n`;
+}

package/dist/commands/revoke.d.ts

@@ -0,0 +1,5 @@
+import type { RevokeOptions } from '../types.js';
+export declare function revokeApproval(options: RevokeOptions): Promise<{
+    ok: boolean;
+    message: string;
+}>;

package/dist/commands/revoke.js

@@ -0,0 +1,22 @@
+import path from 'node:path';
+import { loadApprovalState, loadConfigFile, saveApprovalState } from '../config-io.js';
+import { compactApprovals } from '../core/approval.js';
+export async function revokeApproval(options) {
+    const repoRoot = path.resolve(options.targetDir ?? process.cwd());
+    const config = await loadConfigFile(repoRoot);
+    const pending = await loadApprovalState(repoRoot, 'pending-approvals.json', config);
+    const compacted = compactApprovals(pending);
+    const index = compacted.approvals.findIndex((approval) => approval.approvalId === options.approvalId);
+    if (index === -1) {
+        return {
+            ok: false,
+            message: `Pending approval ${options.approvalId} not found or already expired.`,
+        };
+    }
+    compacted.approvals.splice(index, 1);
+    await saveApprovalState(repoRoot, 'pending-approvals.json', compacted, config);
+    return {
+        ok: true,
+        message: `Revoked pending approval ${options.approvalId}.`,
+    };
+}

package/dist/commands/simulate.d.ts

@@ -0,0 +1,14 @@
+export interface SimulateOptions {
+    targetDir?: string;
+    configPath: string;
+    json?: boolean;
+}
+export declare function simulateProject(options: SimulateOptions): Promise<{
+    candidateConfigPath: string;
+    totalRecords: number;
+    changedCount: number;
+    allowToDenyCount: number;
+    denyToAllowCount: number;
+    diffs: import("../core/reclassify.js").ReclassifyDiff[];
+}>;
+export declare function formatSimulateReport(report: Awaited<ReturnType<typeof simulateProject>>): string;

package/dist/commands/simulate.js

@@ -0,0 +1,55 @@
+import { existsSync } from 'node:fs';
+import { readFile } from 'node:fs/promises';
+import path from 'node:path';
+import { loadConfigFile } from '../config-io.js';
+import { parseAuditNdjson, toAuditRecord } from '../core/audit-metrics.js';
+import { mergeConfig } from '../core/config.js';
+import { diffReclassification } from '../core/reclassify.js';
+export async function simulateProject(options) {
+    const repoRoot = path.resolve(options.targetDir ?? process.cwd());
+    const currentConfig = await loadConfigFile(repoRoot);
+    if (!existsSync(options.configPath)) {
+        throw new Error(`Candidate config not found: ${options.configPath}`);
+    }
+    const candidateRaw = JSON.parse(await readFile(options.configPath, 'utf8'));
+    const candidateConfig = mergeConfig(candidateRaw, currentConfig);
+    const auditLogPath = path.join(repoRoot, currentConfig.audit.logPath);
+    let raw = '';
+    try {
+        raw = await readFile(auditLogPath, 'utf8');
+    }
+    catch {
+        raw = '';
+    }
+    const records = parseAuditNdjson(raw).map(toAuditRecord);
+    const diffs = (await Promise.all(records.map((record) => diffReclassification(record, candidateConfig, repoRoot)))).filter((diff) => diff !== null);
+    const allowToDeny = diffs.filter((diff) => (diff.previousVerdict === 'allow' || diff.previousVerdict === 'allow_flagged') &&
+        diff.nextVerdict === 'deny_pending_approval');
+    const denyToAllow = diffs.filter((diff) => diff.previousVerdict === 'deny_pending_approval' &&
+        (diff.nextVerdict === 'allow' || diff.nextVerdict === 'allow_flagged'));
+    return {
+        candidateConfigPath: options.configPath,
+        totalRecords: records.length,
+        changedCount: diffs.length,
+        allowToDenyCount: allowToDeny.length,
+        denyToAllowCount: denyToAllow.length,
+        diffs,
+    };
+}
+export function formatSimulateReport(report) {
+    const lines = [
+        `simulate ${report.candidateConfigPath}`,
+        `Records scanned: ${report.totalRecords}`,
+        `Verdict changes: ${report.changedCount}`,
+        `allow/flagged → deny: ${report.allowToDenyCount}`,
+        `deny → allow/flagged: ${report.denyToAllowCount}`,
+        '',
+    ];
+    for (const diff of report.diffs.slice(0, 30)) {
+        lines.push(`- ${diff.summary ?? diff.fingerprint}: ${diff.previousVerdict}/${diff.previousReason} → ${diff.nextVerdict}/${diff.nextReason}`);
+    }
+    if (report.diffs.length > 30) {
+        lines.push(`... ${report.diffs.length - 30} more`);
+    }
+    return `${lines.join('\n')}\n`;
+}

package/dist/commands/status.d.ts

@@ -0,0 +1,5 @@
+import { pendingApprovalsPath } from '../config-io.js';
+import type { StatusOptions, StatusReport } from '../types.js';
+export declare function statusProject(options?: StatusOptions): Promise<StatusReport>;
+export declare function formatStatusReport(report: StatusReport): string;
+export { pendingApprovalsPath };